Hi Splunkers,
We have a customer that is collecting Check Point fw, ips and vpn logs via OPSEC. The Check Point version is R77.
At the moment Splunk is indexing about 30 gigabytes per day. If we look at the log directory on the Check Point SmartCenter we only see about 3 gigabytes (rotating every 2 GB) for that specific day, but Splunk has indexed 30 gigabytes.
I found out that Check Point logs are written in binary. But are they also saved in a compressed form?
Does anybody know how the OPSEC script from Splunk is pulling the logs? Is it just reading the files, or is there an API call directly to the SmartCenter? How can we check why we have this gap between the log files on the system and the indexed log volume?
Thanks in advance
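One way to narrow down a gap like the one described in the post is to find out whether the extra volume is duplicate events (the collector re-sending records it already delivered) or simply the text expansion of the binary records. The script below is an added example, not code from the original post or from the Splunk OPSEC app; it assumes the collector emits pipe-delimited key=value records and that the fields `orig`, `fileid` and `loc` together identify one record in one log file, and the sample records it runs on are constructed.

```python
"""Added example (not from the original post): check whether the volume gap
between Check Point's on-disk logs and what Splunk indexed comes from duplicate
events (e.g. the collector re-reading a log file from the start after a
restart) rather than from verbose text expansion of the binary records.
The input format and field names (loc, fileid, orig, ...) are assumed to match
the pipe-delimited key=value output of the Splunk OPSEC LEA script; the sample
records below are constructed, not real customer data."""
from collections import Counter

# Constructed sample: three distinct records, record loc=100 appears three times.
SAMPLE = """\
loc=100|fileid=1|time=12Mar2015 10:00:01|orig=10.0.0.1|action=accept|src=10.1.1.5|dst=8.8.8.8|proto=udp|service=53|rule=7
loc=101|fileid=1|time=12Mar2015 10:00:02|orig=10.0.0.1|action=drop|src=10.1.1.6|dst=1.2.3.4|proto=tcp|service=445|rule=99
loc=100|fileid=1|time=12Mar2015 10:00:01|orig=10.0.0.1|action=accept|src=10.1.1.5|dst=8.8.8.8|proto=udp|service=53|rule=7
loc=102|fileid=1|time=12Mar2015 10:00:03|orig=10.0.0.1|action=accept|src=10.1.1.7|dst=8.8.4.4|proto=udp|service=53|rule=7
loc=100|fileid=1|time=12Mar2015 10:00:01|orig=10.0.0.1|action=accept|src=10.1.1.5|dst=8.8.8.8|proto=udp|service=53|rule=7
"""


def parse_record(line):
    """Split one 'k=v|k=v|...' record into a dict (values may contain '=')."""
    fields = {}
    for kv in line.strip().split("|"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    return fields


def record_key(fields):
    """(orig, fileid, loc) identifies one record in one log file on one log
    server (assumed: 'loc' is the record position, 'fileid' the log file)."""
    return (fields.get("orig"), fields.get("fileid"), fields.get("loc"))


def analyse(text):
    """Return duplication and size statistics for a block of LEA-style records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    keys = Counter(record_key(parse_record(ln)) for ln in lines)
    total_bytes = sum(len(ln.encode("utf-8")) + 1 for ln in lines)  # +1 newline
    seen = set()
    dedup_bytes = 0
    for ln in lines:
        key = record_key(parse_record(ln))
        if key not in seen:
            seen.add(key)
            dedup_bytes += len(ln.encode("utf-8")) + 1
    most_common = keys.most_common(1)[0] if keys else (None, 0)
    return {
        "total_events": len(lines),
        "distinct_records": len(keys),
        "duplicate_events": len(lines) - len(keys),
        "most_duplicated": most_common,
        "total_bytes": total_bytes,
        "dedup_bytes": dedup_bytes,
        "avg_bytes_per_event": total_bytes / len(lines) if lines else 0.0,
    }


if __name__ == "__main__":
    # Feed it a day's worth of exported events (e.g. the raw output of the
    # collector, or a Splunk export of _raw) instead of SAMPLE for a real check.
    stats = analyse(SAMPLE)
    for name, value in stats.items():
        print(f"{name}: {value}")
    # duplicate_events near zero: the gap is text expansion of binary records.
    # duplicate_events large: the collector is re-sending records it already sent.
```

The same two checks can be run inside Splunk without exporting anything: `... | stats count by orig fileid loc | where count > 1` (with the field names assumed above) shows re-sent records, and `index=_internal source=*license_usage.log type=Usage | stats sum(b) by st, h` gives the indexed bytes per sourcetype and host, which is the number to compare against the on-disk size for the same day.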